--- a/ChangeLog Tue Oct 28 22:23:50 2014 -0400
+++ b/ChangeLog Fri Oct 31 18:01:24 2014 -0400
@@ -1,8 +1,9 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+ * Fix handling of Self-Signed SSL/TLS Certificates when using the NSS version 2.10.10 (10/22/14):
--- a/libpurple/plugins/ssl/ssl-nss.c Tue Oct 28 22:23:50 2014 -0400
+++ b/libpurple/plugins/ssl/ssl-nss.c Fri Oct 31 18:01:24 2014 -0400
@@ -1044,9 +1044,10 @@
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
CERTCertificate *crt_dat;
PurpleCertificate *first_cert = vrq->cert_chain->data;
+ gboolean self_signed = FALSE;
 crt_dat = X509_NSS_DATA(first_cert);
@@ -1059,6 +1060,14 @@
CERTVerifyLogNode *node = NULL;
unsigned int depth = (unsigned int)-1;
+ *flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
+ /* Handling of untrusted, etc. modeled after
+ * source/security/manager/ssl/src/TransportSecurityInfo.cpp in Firefox
 for (node = log.head; node; node = node->next) {
if (depth != node->depth) {
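Review bot: The added `*flags |= PURPLE_CERTIFICATE_SELF_SIGNED;` ahead of the `for (node = log.head; ...)` loop has no comment stating what makes `crt_dat` count as self-signed, and the test guarding it is not among the lines shown (the hunk header counts more added lines than appear here). Because the per-error assignment under `SEC_ERROR_UNKNOWN_ISSUER` is removed later in this commit, this one line now solely decides the flag, so the criterion deserves a comment, e.g. `/* self-signed = leaf is its own issuer; trust and signature errors are still collected from the log below */`. If the assignment is in fact unconditional, every certificate that reaches this failure path would be reported as self-signed, which would mislabel ordinary unknown-CA failures. The enclosing block starts and ends outside the hunk.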
@@ -1077,13 +1086,18 @@
case SEC_ERROR_UNKNOWN_ISSUER:
case SEC_ERROR_UNTRUSTED_ISSUER:
- *flags |= PURPLE_CERTIFICATE_SELF_SIGNED;
*flags |= PURPLE_CERTIFICATE_CA_UNKNOWN;
+ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_UNTRUSTED_CERT:
 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
+ *flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
 case SEC_ERROR_BAD_SIGNATURE:
*flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
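Review bot: No `break;` is visible between `*flags |= PURPLE_CERTIFICATE_CA_UNKNOWN;` and the added `case SEC_ERROR_CA_CERT_INVALID:` group, nor between the added `*flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;` and `case SEC_ERROR_BAD_SIGNATURE:`. Lines may simply be elided in this rendering, but if the fall-through is real, an unknown or untrusted issuer now also raises `PURPLE_CERTIFICATE_INVALID_CHAIN`; either add `break;` after each assignment or mark the intent with `/* fall through */`. If the new `self_signed` local gates these assignments in lines not shown, keep `SEC_ERROR_BAD_SIGNATURE` and `SEC_ERROR_UNTRUSTED_CERT` outside that gate, so that a self-issued certificate with a broken signature or explicit distrust is never reduced to a plain self-signed warning. The switch starts and ends outside the hunk.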
@@ -1091,12 +1105,12 @@
CERT_DestroyCertificate(node->cert);
- rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
- if (rv != SECSuccess) {
- purple_debug_error("nss", "Cert chain valid, but name not verified\n");
- *flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
+ rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);
+ if (rv != SECSuccess) {
+ purple_debug_error("nss", "subject name not verified\n");
+ *flags |= PURPLE_CERTIFICATE_NAME_MISMATCH;
 PORT_FreeArena(log.arena, PR_FALSE);
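Review bot: `rv` is reassigned by the added `rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);`, and nothing visible says the host-name check is now meant to run regardless of the chain result. If `rv` still carries the chain-verification status from earlier in the function (not shown) and is read after this point, a matching name would overwrite a chain failure; a separate local, `SECStatus name_rv = CERT_VerifyCertName(crt_dat, vrq->subject_name);`, avoids that. A comment such as `/* always verify the name, so a self-signed cert for the wrong host gets NAME_MISMATCH too */` would record why the old "Cert chain valid" wording was dropped. The `if` block opened here closes outside the visible lines.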